IN THE CLAIMS: 

1. (currently amended) A method for conducting a consistent, documented and yet 
repeatable compliance risk assessment and mitigation process, using a network-based system 
including a server system coupled to a centralized database and at least one client system, said 
method comprising the steps of: 

storing in the database compliance information including at least one questionnaire 
relating to compliance, compliance requirements for each functional area within a business, and 
persons responsible for compliance within each functional area within the business; 

conducting a compliance program assessment; 

displaying a questionnaire on a client system associated with a person responsible for 
compliance with at least one functional area within the business, the questionnaire is transmitted 
from the server system to the client system of the compliance person and is generated using the 
compliance information stored within the database; 

receiving at the server a response inputted by the compliance person to the displayed 
questionnaire; 

processing the response to the displayed questionnaire at the server; 

conducting a prioritization of prioritizing compliance risks for the business including 
identifying compliance risks for each functional area within the business, and prioritizing the 
compliance risks from high to low based on a severity rating of non-compliance; 

identifying, for each compliance risk area identified, potential compliance failures failure 
modes and potential causes and effects of such compliance failures failure modes; and 

storing the risks, the risk priority, the failure modes, and the causes and effects in the 
database; 
calculating a risk prioritization number (RPN) for each compliance risk identified based 
on the data stored in the database, wherein the RPN represents a relative compliance risk of a 
particular failure mode; and 

ensuring that implementing risk monitoring and control mechanisms are in place to 
mitigate compliance risks based on the calculated RPNs. 

2. (currently amended) A method according to Claim 1 wherein said step of conducting 
a compliance program assessment displaying a questionnaire further comprises the steps of: 

developing a binary questionnaire; 

assembling a cross functional team; 

defining what constitutes a "yes" answer for each question in the binary questionnaire; 
identifying and interviewing process owners for the questionnaire answers; 
compiling interview results; and 

summarizing findings and reviewing final results with compliance and functional leaders. 

3. (currently amended) A method according to Claim 1 wherein said step of conducting 
a prioritization of prioritizing compliance risks further comprises the steps of: 

identifying the compliance risks of at least one of business' processes, products, 
environment, and location; and 

prioritizing the business' highest risks. 

4. (original) A method according to Claim 1 wherein said step of identifying further 
comprises the steps of: 

analyzing identified high compliance risk areas to determine potential compliance 
failures and root causes; 

prioritizing actions that need to be taken; and 
developing policy scorecards to be used as a monitoring and reporting tool. 

5. (original) A method according to Claim 1 wherein said step of identifying further 
comprises the steps of: 

reassembling the cross functional team that was initially used to conduct the compliance 
program assessment; 

mapping high risk process steps; 

beginning a construction of a Failure Mode and Effect Analysis (FMEA); 
assigning severity, occurrence and detection factors; 
calculating Risk Prioritization Numbers (RPN); 
defining recommended actions to reduce RPNs; and 
defining scorecard content and format. 

6. (currently amended) A method according to Claim 1 wherein said step of ensuring 
that implementing risk monitoring and control mechanisms are in place, further comprises the 
steps of: 

establishing appropriate controls to provide guidance to the business; and 
monitoring that the appropriate controls mitigate compliance risks. 

7. (currently amended) A method according to Claim 1 wherein said step of ensuring 
that implementing risk monitoring and control mechanisms are in place, further comprises the 
steps of: 

developing action items; 

ensuring that the developed action items are completed in a timely manner; and 
establishing and monitoring the controls to mitigate compliance risks. 
8. (original) A method according to Claim 2 wherein said step of identifying and 
interviewing process owners further comprises the steps of: 

identifying and interviewing for compliance using a knowledge base; and 

identifying and interviewing for compliance using a question owner's matrix. 

9. (original) A method according to Claim 2 wherein said step of compiling interview 
results further comprises the step of compiling interview results using a spreadsheet configured 
for automatically converting the results from qualitative to quantitative and further configured to 
tabulate and graph the results. 

10. (original) A method according to Claim 2 wherein said step of summarizing findings 
further comprises the step of summarizing the results of the assessment of at least one 
compliance program using at least one of a program assessment summary and a policy 
assessment summary. 

11. (original) A method according to Claim 3 wherein said step of prioritizing the 
business' highest risk further comprises: 

mapping a high level business risk model; 

compiling a list of compliance requirements; 

prioritizing the list of compliance requirements; 

beginning construction of a quality function deployment (QFD); 

entering a severity rating for non-compliance with requirements; 

assessing and evaluating compliance policies; 

identifying immediate risks and completing construction of a QFD; and 
prioritizing compliance risk areas. 
12. (original) A method according to Claim 11 wherein said step of mapping the high 
level business risk model further comprises the steps of: 

identifying core processes and products of a business; 

associating business risk with the core processes and products of a business; and 
associating business risk with compliance requirements. 

13. (original) A method according to Claim 11 wherein said step of compiling a list of 
compliance requirements further comprises the step of compiling a list of compliance 
requirements including at least one of a company declared policy and/or practice, legal and 
regulatory requirements of a business, contractual requirements, compliance risks and internal 
requirements. 

14. (original) A method according to Claim 11 wherein said step of prioritizing the list 
of compliance requirements further comprises prioritizing the severity level of non-compliance 
using a severity matrix. 

15. (original) A method according to Claim 11 wherein said step of beginning 
construction of the quality function deployment (QFD) further comprises the steps of: 

beginning construction of the QFD using information generated in mapping the high level 
business risk model with a compliance requirements list developed in making a severity matrix; 
and 

quantifying the results using a risk QFD matrix. 

16. (original) A method according to Claim 11 wherein said step of assessing and 
evaluating compliance policies further comprises the steps of: 

assessing business routines and controls to ensure compliance with each policy; and 

determining a quality function deployment (QFD) score. 
17. (original) A method according to Claim 16 wherein said step of determining a 
quality function deployment (QFD) score further comprises the step of determining a QFD score 
as 

process strength rating x severity rating. 

18. (original) A method according to Claim 16 wherein said step of determining a 
quality function deployment (QFD) score further comprises automatically entering the score into 
a risk QFD. 

19. (original) A method according to Claim 11 wherein said step of prioritizing risk 
areas further comprises summarizing findings from the risk quality function deployment (QFD) 
using a risk prioritization matrix. 

20. (original) A method according to Claim 11 further comprising the step of identifying 
the top three to five compliance requirements having the highest risk. 

21. (original) A method according to Claim 5 wherein said step of mapping the high- 
risk process steps comprises the steps of: 

creating a process map; and 

creating a process map within a failure mode and effect analysis matrix. 

22. (original) A method according to Claim 5 wherein said step of beginning the 
construction of a failure mode and effect analysis matrix further comprises the steps of 
determining potential failure modes for each step in a process, brainstorming potential effects of 
the failure identifying potential causes of the failures and documenting current controls. 

23. (original) A method according to Claim 5 wherein said step of assigning severity, 
occurrence and detection factors further comprises automatically entering the assigned factors 
into the failure mode and effect analysis matrix. 

24. (original) A method according to Claim 5 wherein said step of determining risk 
prioritization numbers further comprises determining the risk prioritization numbers as 
severity rating x occurrence rating x detection rating. 

25. (original) A method according to Claim 5 wherein said step of defining 
recommended actions to reduce the risk prioritization numbers further includes the step of 
automatically entering at least one of the recommended actions, an owner of the recommended 
action and expected date of completion of the recommended action into the failure mode and 
effect analysis matrix. 

26. (original) A method according to Claim 5 wherein said step of defining 
recommended actions to reduce the risk prioritization number further comprises the steps of 
automatically reassigning ratings and redetermining the risk prioritization numbers. 

27. (original) A method according to Claim 5 further comprising the step of monitoring 
progress in reducing the risk prioritization numbers. 

28. (original) A method according to Claim 27 wherein the step of monitoring progress 
in reducing the risk prioritization numbers comprises monitoring progress in reducing the risk 
prioritization numbers using policy scorecards. 
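The FMEA arithmetic recited in claims 17, 24, 26 and 27-28, carried through in working code as an added example (not the patent's or any applicant's code): RPN as severity x occurrence x detection, QFD score as process strength rating x severity rating, ordering from high to low, reassigning ratings after a recommended action and redetermining the RPN, and a before/after report for a scorecard. The 1..10 rating scale, the severity tie-break and the sample failure modes are constructed assumptions; the claims fix no scale.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

RATING_MIN, RATING_MAX = 1, 10  # assumed 1..10 scale; the claims do not fix one


def check_rating(name: str, value: int) -> int:
    """Reject a rating outside the assumed scale before it enters a product."""
    if not isinstance(value, int) or not RATING_MIN <= value <= RATING_MAX:
        raise ValueError(f"{name} rating {value!r} must be an integer in "
                         f"{RATING_MIN}..{RATING_MAX}")
    return value


@dataclass(frozen=True)
class FailureMode:
    """One row of the failure mode and effect analysis matrix (constructed example)."""
    area: str        # compliance risk area (functional area of the business)
    mode: str        # potential compliance failure mode
    cause: str       # potential cause of the failure
    effect: str      # potential effect of the non-compliance
    severity: int    # severity rating of non-compliance
    occurrence: int  # likelihood-of-occurrence rating
    detection: int   # detection rating (higher = harder to detect)

    def __post_init__(self) -> None:
        check_rating("severity", self.severity)
        check_rating("occurrence", self.occurrence)
        check_rating("detection", self.detection)


def rpn(fm: FailureMode) -> int:
    """Risk prioritization number as claims 24/54 define it: S x O x D."""
    return fm.severity * fm.occurrence * fm.detection


def qfd_score(process_strength: int, severity: int) -> int:
    """QFD score as claims 17/46 define it: process strength rating x severity rating."""
    return check_rating("process strength", process_strength) * check_rating("severity", severity)


def prioritize(modes: List[FailureMode]) -> List[FailureMode]:
    """Order failure modes from high to low: by RPN, then by severity on ties (assumed tie-break)."""
    return sorted(modes, key=lambda fm: (rpn(fm), fm.severity), reverse=True)


def apply_recommended_action(fm: FailureMode, *, occurrence: Optional[int] = None,
                             detection: Optional[int] = None) -> FailureMode:
    """Reassign occurrence/detection after a control is in place and return the re-rated row.

    Severity is deliberately untouched: a monitoring or control mechanism changes how
    often a failure happens or how soon it is caught, not how bad non-compliance is.
    """
    changes = {}
    if occurrence is not None:
        changes["occurrence"] = occurrence
    if detection is not None:
        changes["detection"] = detection
    return replace(fm, **changes)  # validation re-runs in __post_init__


def progress_report(before: List[FailureMode],
                    after: List[FailureMode]) -> Dict[str, Tuple[int, int]]:
    """Scorecard input: (RPN before, RPN after) per failure mode, keyed by mode name."""
    after_by_mode = {fm.mode: fm for fm in after}
    return {fm.mode: (rpn(fm), rpn(after_by_mode[fm.mode])) for fm in before}


# Constructed sample rows; the ratings are illustrative and not taken from the claims.
SAMPLE_MODES = [
    FailureMode("Export controls", "Shipment not screened against denied-party list",
                "Manual screening step skipped under time pressure",
                "Regulatory penalty and loss of export privileges", 9, 4, 6),
    FailureMode("Data privacy", "Customer records kept past retention period",
                "No automated purge job", "Breach of retention policy", 7, 6, 5),
    FailureMode("Payroll", "Overtime hours misclassified",
                "Time system lacks role mapping", "Back pay and fines", 4, 5, 3),
]


def run_cycle() -> Dict[str, Tuple[int, int]]:
    """One assessment cycle: rank, act on the top risk, redetermine RPNs (claim 26)."""
    ranked = prioritize(SAMPLE_MODES)
    # Recommended action on the top risk: automated screening makes the failure
    # far easier to detect, so only the detection rating is reassigned.
    mitigated = [apply_recommended_action(ranked[0], detection=2)] + ranked[1:]
    return progress_report(ranked, mitigated)


if __name__ == "__main__":
    for mode, (before, after) in run_cycle().items():
        print(f"{mode:48s} RPN {before:4d} -> {after:4d}")
```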

29. (original) A method according to Claim 1 further comprising the steps of compiling 
an actions items list and creating at least one policy dashboard. 

30. (original) A method according to Claim 1 further comprising the step of monitoring 
metrics relating to training. 

31. (currently amended) A system for identifying and quantifying compliance 
comprising: 

at least one computer; 

a database for storing compliance information including at least one questionnaire 
relating to compliance, compliance requirements for each functional area within a business, and 
persons responsible for compliance within each functional area within the business; 
a server configured to read input information relating to identifying and quantifying 
compliance, assess at least one compliance program, prioritize risk, identify issues relating to the 
risk and mitigate and control to resolve the issues; and 

a network connecting said computer to said server, wherein said server is configured to: 

a user interface allowing a user to input information relating to identifying and 
quantifying compliance. 

display a questionnaire on said computer associated with a person responsible for 
compliance with at least one functional area within the business, the questionnaire is 
transmitted from said server to said computer of the compliance person and is 
generated using the compliance information stored within the database; 

receive a response inputted by the compliance person to the displayed questionnaire; 

process the response to the displayed questionnaire; 

prioritize compliance risks for the business including identifying compliance risks for 
each functional area within the business, and prioritizing the compliance risks from 
high to low based on a severity rating of non-compliance; 

identify, for each compliance risk identified, potential compliance failure modes and 
potential causes and effects of such compliance failure modes; 

store the risks, the risk priority, the failure modes, and the causes and effects in the 
database; 

calculate a risk prioritization number (RPN) for each compliance risk identified based 
on the data stored in the database, wherein the RPN represents a relative compliance 
risk of a particular failure mode; and 

recommend risk monitoring and control mechanisms to mitigate compliance risks 
based on the calculated RPNs. 
32. (currently amended) A system according to Claim 31 wherein said server configured 
to assess at least one compliance program is further configured to assemble a cross-functional 
team, identify and interview for compliance, compile interview results and summarize the results 
of the assessment of at least one compliance program. 

33. (original) A system according to Claim 32 wherein said server configured to 
assemble a cross-functional team is configured to assemble a cross-functional team using a 
knowledge base within said server. 

34. (original) A system according to Claim 32 wherein said server configured to 
assemble a cross-functional team using a knowledge base is further configured to create a 
questionnaire that includes a plurality of binary questions relating to compliance and define what 
constitutes an affirmative answer to the questions. 

35. (original) A system according to Claim 32 wherein said server configured to identify 
and interview for compliance is configured to identify and interview for compliance using a 
knowledge base within said server. 

36. (original) A system according to Claim 35 wherein said server configured to identify 
and interview for compliance is further configured to identify and interview for compliance 
using a question owner's matrix. 

37. (original) A system according to Claim 32 wherein said server configured to 
compile interview results using a spreadsheet is configured to compile interview results using a 
spreadsheet configured for automatically converting results from qualitative to quantitative and 
to tabulate and graph results. 

38. (original) A system according to Claim 32 wherein said server configured to 
summarize the results of the assessment is configured to summarize the results of the assessment 
using at least one of a program assessment summary and a policy assessment summary. 

39. (original) A system according to Claim 31 wherein said server configured to 
prioritize the risk is further configured to map a high level business risk model, compile a list of 
compliance requirements, prioritize the list of compliance requirements, construct a quality 
function deployment (QFD) matrix, assign a severity rating for non-compliance with 
requirements, assess and evaluate compliance policies, identify at least one immediate risk and 
prioritize compliance risk areas. 

40. (original) A system according to Claim 39 wherein said server configured to map 
the high level business risk model is further configured to identify at least one core process and 
product of a business, associate business risk with at least one core process and product of a 
business and associate business risk with compliance requirements. 

41. (original) A system according to Claim 39 wherein said server configured to 
compile a list of compliance requirements is configured to compile a list of compliance 
requirements including at least one of a company declared policy and/or practice, legal and 
regulatory requirements of a business, contractual requirements, compliance risks and internal 
requirements. 

42. (original) A system according to Claim 39 wherein said server configured to 
prioritize the list of company requirements is configured to prioritize the severity level of each 
occurrence of non-compliance in accordance with a severity matrix. 

43. (original) A system according to Claim 39 wherein said server configured to 
construct the quality function deployment (QFD) matrix is further configured to construct the 
QFD matrix using information generated in mapping the high level business risk model with the 
compliance requirements list developed in creating a severity matrix. 

44. (original) A system according to Claim 39 wherein said server configured to 
construct the quality function deployment (QFD) matrix is configured to quantify results using a 
risk QFD matrix. 

45. (original) A system according to Claim 39 wherein said server configured to assess 
and evaluate compliance policies is configured to assess business routines and controls to ensure 
compliance with each policy and determine a quality function deployment (QFD) score. 

46. (original) A system according to Claim 45 wherein said server configured to 
determine a quality function deployment (QFD) score is configured to determine a QFD score as 
process strength rating x severity rating. 

47. (original) A system according to Claim 45 wherein said server configured to 
determine a quality function deployment (QFD) score is further configured to automatically enter 
the QFD score into a risk QFD matrix. 

48. (original) A system according to Claim 39 wherein said server configured to 
prioritize compliance risk areas is further configured to summarize findings from the risk quality 
function deployment (QFD) matrix in accordance with a risk prioritization matrix. 

49. (original) A system according to Claim 39 wherein said server is further configured 
to identify the top three to five compliance requirements having the highest risk. 

50. (original) A system according to Claim 31 wherein said server configured to identify 
issues relating to risk is further configured to assemble a cross-functional team, map the high risk 
process steps, construct a failure mode and effect analysis matrix, assign severity, occurrence and 
detection factors, determine risk prioritization numbers and define recommended actions to 
reduce the risk prioritization numbers. 

51. (original) A system according to Claim 50 wherein said server configured to map 
the high-risk process steps is further configured to create a process map. 

52. (original) A system according to Claim 50 wherein said server configured to create a 
process map is configured to create a process map in accordance with a failure mode and effect 
analysis matrix. 

53. (original) A system according to Claim 50 wherein said server configured to 
construct a failure mode and effect analysis matrix is further configured to determine potential 
failure modes for each step in a process, brainstorm potential effects of the failures to identify 
potential causes of the failures and document current controls. 

54. (original) A system according to Claim 50 wherein said server configured to 
determine risk prioritization number is configured to determine risk prioritization numbers as 

severity rating x occurrence rating x detection rating. 
55. (original) A system according to Claim 50 wherein said server configured to assign 
a severity rating, occurrence and detection factors is further configured to enter the assigned 
factors into the failure mode and effect analysis matrix. 

56. (original) A system according to Claim 50 wherein said server configured to define 
recommended actions is further configured to automatically enter at least one of the 
recommended actions, an owner of the recommended action, and expected date of completion of 
the recommended action into the failure mode and effect analysis matrix. 

57. (original) A system according to Claim 50 wherein said server configured to define 
recommended actions to reduce the risk prioritization numbers is further configured to 
reassign ratings and redetermine the risk prioritization numbers. 

58. (original) A system according to Claim 50 wherein said server is further configured 
to monitor progress in reducing the risk prioritization numbers using policy scorecards. 

59. (original) A system according to Claim 50 wherein said server configured to 
mitigate is further configured to compile an actions items list and create at least one policy 
dashboard. 

60. (original) A system according to Claim 31 wherein said server is configured to allow 
a user to submit information relating to the identification and quantification of compliance via 
the Internet. 

61. (original) A system according to Claim 31 wherein said server is configured to allow 
a user to submit information relating to the identification and quantification of compliance via an 
Intranet. 

62. (original) A system according to Claim 31 wherein said network is one of a wide 
area network and a local area network. 

63. (currently amended) A computer programmed to: 

prompt a user to identify potential risks and failure modes and root causes associated with 
the risks within a compliance program; 
prioritize the risks; and 

prompt the user with at least one mitigation plan to deal with at least one of the identified 
risks, failure modes, and root causes; 

store in a database compliance information including at least one questionnaire relating to 
compliance, compliance requirements for each functional area within a business, and persons 
responsible for compliance within each functional area within the business; 

display a questionnaire for a person responsible for compliance with at least one 
functional area within the business, the questionnaire is generated using the compliance 
information stored within the database; 

receive a response inputted by the compliance person to the displayed questionnaire; 

process the response to the displayed questionnaire; 

prioritize compliance risks for the business including identifying compliance risks for 
each functional area within the business, and prioritizing the compliance risks from high to low 
based on a severity rating of non-compliance; 

identify, for each compliance risk identified, potential compliance failure modes and 
potential causes and effects of such compliance failure modes; 

store the risks, the risk priority, the failure modes, and the causes and effects in the 
database; 

calculate a risk prioritization number (RPN) for each compliance risk identified based on 
the data stored in the database, wherein the RPN represents a relative compliance risk of a 
particular failure mode; and 

recommend risk monitoring and control mechanisms to mitigate compliance risks based 
on the calculated RPNs. 

64. (original) A computer according to Claim 63 further programmed to prompt a user 
to identify process owners within the compliance program. 
65. (original) A computer according to Claim 63 wherein to identify the risks and failure 
modes and root causes, said computer displays a computer generated screen comprising a 
questionnaire relating to compliance. 

66. (original) A computer according to Claim 65 wherein the questionnaire comprises a 
question owners matrix. 

67. (original) A computer according to Claim 66 wherein said question owners matrix 
comprises a listing of compliance assessment areas. 

68. (original) A computer according to Claim 63 further programmed to calculate a 
percentage of compliance. 

69. (original) A computer according to Claim 65, said computer further programmed to 
tabulate and graph questionnaire results. 

70. (original) A computer according to Claim 63 wherein to prompt a user with a 
mitigation plan, said computer displays a computer generated screen comprising at least one of a 
completed questionnaire, a summary of current status, improvement opportunities, action plans, 
potential best practices, a program summary and a policy assessment summary. 

71. (original) A computer according to Claim 63 wherein to prioritize the risks said 
computer is programmed to: 

assess compliance risk; and 

relate risks to processes, products and environments. 

72. (original) A computer according to Claim 63 wherein to prioritize the risks said 
computer is programmed to prioritize a list of compliance requirements based upon a severity of 
non-compliance. 

73. (original) A computer according to Claim 72 further programmed to organize the list 
of compliance requirements using a severity matrix format. 
74. (original) A computer according to Claim 72 further programmed to generate a risk 
quality function deployment matrix, using compliance requirements and severity ratings for non- 
compliance of each compliance requirement. 

75. (original) A computer according to Claim 72 further programmed to calculate risk 
prioritization numbers using at least one of severity ratings, a likelihood of occurrence factor and 
a detection ability factor. 

76. (currently amended) A computer program embodied on a computer readable 
medium for managing compliance risk assessment to enable businesses to develop broader and 
deeper coverage of compliance risks, using a network based system including a server system 
coupled to a centralized database and at least one client system, said computer program 
comprising a code segment that: 

develops a questionnaire based on list of compliance requirements and stores the 
questionnaire into a centralized database; 

records and processes qualitative responses against each of the questions identified in the 
questionnaire; 

converts the qualitative responses to quantitative results based on pre-determined criteria 
and develops compliance risk assessment output to enable businesses to reduce risks and 
improve profits; 

stores in the database compliance information including at least one questionnaire 
relating to compliance, compliance requirements for each functional area within a business, and 
persons responsible for compliance within each functional area within the business; 

displays a questionnaire on a client system associated with a person responsible for 
compliance with at least one functional area within the business, the questionnaire is transmitted 
from the server system to the client system of the compliance person and is generated using the 
compliance information stored within the database; 

receives a response inputted by the compliance person to the displayed questionnaire; 
processes the response to the displayed questionnaire at the server; 

prioritizes compliance risks for the business including identifying compliance risks for 
each functional area within the business, and prioritizing the compliance risks from high to low 
based on a severity rating of non-compliance; 

identifies, for each compliance risk identified, potential compliance failure modes and 
potential causes and effects of such compliance failure modes; 

stores the risks, the risk priority, the failure modes, and the causes and effects in the 
database; 

calculates a risk prioritization number (RPN) for each compliance risk identified based on 
the data stored in the database, wherein the RPN represents a relative compliance risk of a 
particular failure mode; and 

recommends risk monitoring and control mechanisms to mitigate compliance risks based 
on the calculated RPNs. 

77. (original) The computer program as recited in Claim 76 further comprising a code 
segment that compiles list of compliance requirements and prioritizes list of compliance 
requirements based on relative severity of non-compliance. 

78. (original) The computer program as recited in Claim 77 further comprising a code 
segment that compiles list of compliance requirements based on at least one of Regulatory 
Requirements, Contractual Requirements, Internal Policy Requirements and Spirit/ Letter 
Requirements. 

79. (original) The computer program as recited in Claim 77 further comprising a code 
segment that: 

stores severity rating for non-compliance requirements; 

assesses strength of business routines and controls to ensure compliance with each 
policy; 
computes a QFD score; and 

prioritizes compliance risk areas according to risk criteria and process control strengths. 

80. (original) The computer program as recited in Claim 79 further comprising a code 
segment that links business's core process to key compliance risks. 

81. (original) The computer program as recited in Claim 76 further comprising a code 
segment that summarizes findings in easily readable graphical and table formats. 

82. (original) The computer program as recited in Claim 79 further comprising a code 
segment that: 

reports progress since last review; 

identifies focus areas for next review and defines specific recommended steps that 
business managers can implement to reduce risks. 

83. (original) The computer program as recited in Claim 76 further comprising a code 
segment that generates management reports for at least one of business groups, departments, 
regions, and countries. 

84. (original) The computer program as recited in Claim 76 further comprising a code 
segment that identifies opportunities for each business. 

85. (original) The computer program as recited in Claim 76 wherein the network is a 
wide area network operable using a protocol including at least one of TCP/IP and IPX. 

86. (original) The computer program as recited in Claim 76 wherein the data is received 
from the user via a graphical user interface. 

87. (original) The computer program as recited in Claim 76 further comprising a code 
segment that develops questionnaires based on pre-stored assumptions in the database. 
88. (original) The computer program as recited in Claim 76 wherein the client system 
and the server system are connected via a network and wherein the network is one of a wide area 
network, a local area network, an intranet and the Internet. 

89. (original) The computer program as recited in Claim 76, and further comprising a 
code segment that monitors the security of the system by restricting access to unauthorized 
individuals. 

90.-118. (cancelled) 